Guidelines to convert from VM:Director to VM:Secure


Article ID: 50024


Updated On:


CA VM:Director for z/VM CA Mainframe VM Product Manager CA VM:Manager Suite for Linux on System z CA VM:Manager Suite for z/VM VM SUITE CA VM:Secure for z/VM




Here is some information that will help you convert from using VM:Director to using VM:Secure.

These are the general steps that need to be accomplished:

  1. Install VM:Secure
  2. Stop VM:Director directory management (Sunset VMDIRECT)
  3. Merge/copy pertinent files from VM:Director to VM:Secure
  4. Get directory management working on VM:Secure
  5. Install Rules and PEF if desired
  6. Removing VM:Director from the system




We recommend you do this process on a test system prior to converting your production VMDIRECT to VMSECURE.

Make sure to keep VMDIRECT logged on until you can get directory management working on VM:Secure. Just in case things don't go as planned, you can go back and get VM:Direct back in control of directory management.

Do a backup of the source before bringing down VMDIRECT. This is in section II.B. Make sure OPERATOR or another user ID that would be logged on during this process has access to the backup USER DIRECT file and can issue DIRECTXA.

When merging configurations keep new SES related configuration records.
(IE: references to user VMANAGER over any old AIM configurations (VMRMAINT))

  1. Install VM:Secure:

    1. Perform a standard SES installation for user ID VMSECURE using the CA VM:Secure Installation Guide. Complete through the Deploy command for the Server
    2. Rename the * CONFIG files on VM:Secure:
      LOGON VMSECURE. Reply 'NO' to 'Startup VMSecure?'
      Rename all the files with a filetype of CONFIG on the 191 disk to have a filetype of CONFIGX. These are skeleton config files and you will merge these files with the current VMDIRECT config files.
    3. Verify VM:Secure disk sizes are adequate.
      Ensure that the VM:Secure 191, 1B0, 1B1, and 1B2 minidisks are at least the same size and blocked the same as the VMDIRECT 191, 1B0, 1B1 and 1B2 minidisks, respectively. Make any necessary changes. This may require you to log off VMSECURE for a while. If you do, remember to say 'no' when prompted to start VMSECURE when you log back on.

  2. Sunset VMDIRECT:

    1. Issue VMDIRECT AUDITEXT to collect the last audit data from VM:Director.
    2. Back up the current source directory using the VM:Secure VMXBKP01 utility to create a USER DIRECT backup.
      ** NOTE ** Make sure this USER DIRECT backup can be accessed by a user that can issue a DIRECTXA command should you need to use it in an emergency to repopulate the object directory.
    3. Bring down VM:Director and ensure no other directory maintenance is performed using this user ID.
      ** NOTE ** We recommend you stay logged on to VMDIRECT until directory management is successsfully transferred to VMSECURE. Though logged on, make sure the product is shutdown using the END command.

  3. Merge/copy pertinent files from VM:Director to VM:Secure

    1. Copy the VM:Direct nnn to the VM:Secure nnn:
      Perform this task for the 191, 1B0, 1B1, and 1B2 minidisks.With both products down, from VMSECURE, link to and access the VMDIRECT minidisk with the same vaddr and COPYFILE all of the files to the VMSECURE minidisk with the same vaddr specifying the OLDD option.

      ** NOTE ** Do not copy the PROFILE EXEC or anything with the filetypes of DIRECT or MODULE from the VMDIRECT disks unless they are local files for product execution such as substitute COPY or FORMAT program.

    2. Merging the VM:Secure CONFIG files:

      VM:Secure has five skeleton config files. They are PRODUCT CONFIGX, DASD CONFIGX, SECURITY CONFIGX, SFS CONFIGX, AUTHORIZ CONFIGX. All of these files are located on the VMSECURE 191 minidisk. VM:Director also has five CONFIG files. They are PRODUCT CONFIG, DASD CONFIG, SECURITY CONFIG, SFS CONFIG and AUTHORIZ CONFIG. For each of these files, you need to combine the records as needed.

      1. PRODUCT CONFIG - compare the two PRODUCT CONFIG files and decide what records you want to keep. Decide if you want to use userexits used in the VM:Direct system on the new VM:Secure system. Also, ensure that the ACCESS RULE record is commented out.
      2. DASD CONFIG - compare the two DASD CONFIG files and decide what records you want to keep. Do not delete any SUBPOOL records. Determine what DASD will be controlled by VM:Secure. More than likely this file will not change from what was on VM:Director unless you are adding DASD to the system as well.
      3. AUTHORIZ CONFIG - compare the two AUTHORIZ CONFIG files and decide what records you want to keep. You will likely need to add some new authorizations for commands that exist in VM:Secure and not in VM:Director.
      4. SECURITY CONFIG - compare the two SECURITY CONFIG files and decide what records you want to keep. Comment out the NORULE record for now.
      5. SFS CONFIG - keep the SFS CONFIG file from the VM:Director system. Do not modify this file.
      6. The VMDIRECT MANAGERS file will need to be copied over as VMSECURE MANAGERS file.

  4. Get directory management working on VM:Secure

    1. Rebuild the IPL disk:

      If VM:Director was using an IPL disk (1B3), recreate this disk using the VM:Secure VMXIPL utility.

      ** NOTE **: You will only need this in place until you install the rules facility. Once the rules facility is installed you won't need the IPLDISK for password expiration. (See the IPLDISK configuration file record in the CA VM:Secure and CA VM:Director Reference Guide in the Configuration File record chapter.)

    2. Give VM:Secure write access to the object directory pack.
      VM:Director would have had it R/W. So, you will need to DETACH 1A0 from VMDIRECT and LINK * 1A0 1A0 MR on VMSECURE to give it write access to the object directory.

    3. Bring VM:Secure up using the SOURCE option. This causes VMSECURE to repopulate the object directory from its 1B0 file. If you don't specify SOURCE, VMSECURE will force one anyway since it will find it wasn't the last product that wrote the object. This is Step 5 in the VMSECURE Installation Guide, Chapter 4.

      ** NOTE ** Review the CA VM:Secure Installation Guide, Chapter 4 Deploying the Product, STEP 6 - Testing CA VM:Secure. There are several examples of commands that will put VM:Secure through some basic tasks.

    4. Once you are confident VMSECURE is doing proper directory management, you can log off VMDIRECT.

  5. Install RULES and PEF (Password Encryption Facility)

    1. Follow VM:Secure Rules Facility documentation to install the rules facility and PEF.

  6. Removing VM:Director from the system

    Once you have completed this conversion remember to remove items associated with the VM:Director product and the VMDIRECT user ID such as:

    • VMDIRECT MODULE on a public disk area
    • Scheduled activities associated with VM:Director
    • Some of these should be converted for use with VM:Secure such as a weekly directory backup
    • VMDIRECT user ID



Additional Information:

Use these as guidelines. The instructions have not been thoroughly tested, so use at your own risk.   Contact CA Technical Support if you have any questions along the way so they can help you make the right choice of what to do.   Again, we recommend you do this process on a test system prior to converting your production VMDIRECT to VMSECURE.



Release: VMDIRE55400-3.1-VM:Director